The present disclosure relates to dynamic meeting space configuration based on content. A client device can detect an entry of a user into a meeting space and notify a management service of the entry of the user into the meeting space. The client device can receive an access token from the management service and provide an access request for an enterprise resource to an enterprise resource service, where the access request comprises the access token. The client device can receive the enterprise resource from the enterprise resource service. The client device can provide data regarding the security classification of the enterprise resource to an edge device located within the meeting space. The client device can receive, from the edge device, a confirmation that a plurality of internet of things (IoT) devices located within the meeting space have been configured according to the security classification of the enterprise resource. The client device can provide the enterprise resource to at least one of the IoT devices for exhibition within the meeting space.
Legal claims defining the scope of protection, as filed with the USPTO.
. A system comprising:
. The system of, wherein the machine-readable instructions, when executed by the processor, further cause the computing device to at least:
. The system of, wherein the access request comprises an identifier for an enterprise resource and the access token.
. The system of, wherein the machine-readable instructions, when executed by the processor, further cause the computing device to at least receive a refresh token corresponding to the access token from the management service.
. The system of, wherein detecting the entry of the user into the meeting space further comprises:
. A method, comprising:
. The method of, further comprising:
. The method of, wherein the access request comprises an identifier for an enterprise resource and the access token.
. The method of, further comprising receiving a refresh token corresponding to the access token from the management service.
. The method of, wherein detecting the entry of the user into the meeting space further comprises:
. A non-transitory computer-readable medium embodying program instructions that, when executed by a computing device, cause the computing device to at least:
. The non-transitory computer-readable medium of, wherein the program instructions, when executed, further cause the computing device to at least:
. The non-transitory computer-readable medium of, wherein the machine-readable instructions, when executed, further cause the computing device to at least:
. The non-transitory computer-readable medium of, wherein the access request comprises an identifier for an enterprise resource and the access token.
. The non-transitory computer-readable medium of, wherein detecting the entry of the user into the meeting space further comprises:
Complete technical specification and implementation details from the patent document.
Benefit is claimed under 35 U.S.C. 119(a)-(d) to Foreign Application Serial No. 202341003606 filed in India entitled “DYNAMIC MEETING SPACE CONFIGURATION BASED ON CONTENT”, on Jan. 18, 2023, by VMware, Inc., which is herein incorporated in its entirety by reference for all purposes.
Today, enterprise meeting rooms are quickly being transformed into smart meeting spaces filled with internet-of-things (IoT) devices such as smart displays, smart lighting, smart boards, and smart conferencing solutions. Thus, each meeting space can itself be an IoT system where multiple IoT devices are operated by a controller device and may be enrolled with a management system. Thus, participants of meeting sessions held in a meeting space can control or configure each IoT device to suit the needs of the meeting session.
The present disclosure relates to dynamic meeting space configuration based on content. With the advent of IoT-enabled meeting spaces, employees and other enterprise users are faced with physical security concerns when exhibiting secure enterprise content during a meeting session. For example, passersby or other unauthorized persons outside a meeting space could eavesdrop on a meeting session and thereby see or hear secure content being exhibited during the meeting session.
To address these issues, the present disclosure leverages the capabilities of IoT-enabled meeting spaces to maintain the security of enterprise resources exhibited during meeting sessions. In particular, the IoT devices within a meeting space could be dynamically configured to match a level of security necessitated by a particular enterprise resource. On the one hand, if an enterprise resource being exhibited needs no elevated security, meeting participants can have full control over the configurations of the IoT devices. On the other hand, if an enterprise resource includes secure content, those IoT devices can be dynamically configured to reduce the chance of that secure content being exposed to unauthorized persons. Likewise, meeting participants may be restricted from changing the IoT devices from their secure configurations.
is a pictorial diagram illustrating an enterprise meeting space. The meeting space can be a room or other similar space in which employees or other persons affiliated with an enterprise can hold a meeting session. The meeting space can host various meeting participants, including a user having a client device. The meeting space can be equipped with various devices to facilitate the meeting session, including a beacon device, an edge device, and various IoT devices (e.g., IoT devices-). A user in possession of a client device can use an enterprise application installed on the client device to conduct various aspects of the meeting session, including exhibiting one or more enterprise resources (shown in) to the meeting session participants. The beacon device can detect the user's presence in the meeting space via the client device. That way, a management service (shown in) can be alerted of the user's presence and permit the user to access enterprise resources.
Then, the user can, via the client device, communicate with the edge device to operate the IoT devices. Using one or more of the IoT devices, the user can exhibit the enterprise resource to the meeting participants. For example, the user can display visual elements of the enterprise resource using a display device, or allow participants to hear audio elements of the enterprise resource using a speaker device.
But if the enterprise resource includes any secure content, the configurations of the IoT devices can be modified to preserve security from any passersby or others who may be unauthorized to see or hear the secure content. For example, the brightness of the display device or the audio output volume of the speaker device can be limited. As another example, a lighting device can be dimmed, or window blinds can be closed. These modified configurations can help to reduce the chance of exposure of secure content to unauthorized persons outside the meeting space.
, shown is a network environment according to various embodiments. The network environment can include a computing environment, one or more client devices, the beacon device, the edge device, and one or more IoT devices, which can be in data communication with each other via the network.
The network can include wide area networks (WANs), local area networks (LANs), personal area networks (PANs), or a combination thereof. These networks can include wired or wireless components or a combination thereof. Wired networks can include Ethernet networks, cable networks, fiber optic networks, and telephone networks such as dial-up, digital subscriber line (DSL), and integrated services digital network (ISDN) networks. Wireless networks can include cellular networks, satellite networks, Institute of Electrical and Electronic Engineers (IEEE) wireless networks (i.e., WI-FI®), BLUETOOTH® networks, microwave transmission networks, as well as other networks relying on radio broadcasts. The network can also include a combination of two or more networks. Examples of networks can include the Internet, intranets, extranets, virtual private networks (VPNs), and similar networks.
The computing environment can include one or more computing devices that include a processor, a memory, and/or a network interface. For example, the computing devices can be configured to perform computations on behalf of other computing devices or applications. As another example, such computing devices can host and/or provide content to other computing devices in response to requests for content.
Moreover, the computing environment can employ a plurality of computing devices that can be arranged in one or more server banks or computer banks or other arrangements. Such computing devices can be located in a single installation or can be distributed among many different geographical locations. For example, the computing environment can include a plurality of computing devices that together can include a hosted computing resource, a grid computing resource or any other distributed computing arrangement. In some cases, the computing environment can correspond to an elastic computing resource where the allotted capacity of processing, network, storage, or other computing-related resources can vary over time.
The computing environment can operate as an environment for mobile device management or a Unified Endpoint Management (UEM) platform that can manage the client device(s) and edge device. In that context, the computing environment can execute a management service, an enterprise resource service, and potentially other applications. The computing environment can also include a data store.
The data store can include memory of the computing environment, mass storage resources of the computing environment, or any other storage resources on which data can be stored by the computing environment. The data store can include one or more databases, such as a structured query language (SQL) database, a non-SQL database, or other appropriate database. The data stored in the data store, for example, can be associated with the operation of the various applications or functional entities described below. The data store can include one or more enterprise resources, one or more compliance rules, one or more security classifications, one or more meeting space profiles, and potentially other data.
The management service can be executed to administer the operation of client device(s) and edge device(s) that are enrolled or otherwise registered with the management service. To that end, the management service can enroll the client device(s) for mobile device management or unified endpoint management (UEM) services. Accordingly, the management service can identify and authenticate one of the client devices. In some implementations, the management service can also be registered as a device administrator of the client device, permitting the management service to configure and manage certain operating aspects of the client device.
In some implementations, the management service can enroll an edge device upon receiving an enrollment request. The enrollment request can either be received from the client device or from the edge device directly. The enrollment request can include, for example, an identifier for the edge device and an identifier for a meeting space associated with the edge device. The management service can identify and authenticate the edge device by interacting with the client device. In some implementations, the management service can also be registered as a device administrator of the edge device, permitting the management service to configure and manage certain operating aspects of the edge device. The management service can manage the edge device through the management agent.
The management service can be notified by the client device and/or the edge device when a user of the client device is located within a meeting space. In some implementations, this notification can include data regarding a user of the client device, a meeting session taking place in the meeting space, and potentially other information. The management service can verify the information received from the client device and the edge device using user calendar data and Active Directory data. The management service can then determine whether the client device and edge device are compliant with one or more compliance rules.
The management service can generate an access token. The access token can represent the client device's authorization to access an enterprise resource. The management service can generate the access token using MICROSOFT ACTIVE DIRECTORY data. In some implementations, the access token can be generated based on user calendar data associated with the user of the client device. The user calendar data can include, for example, information from a reservation for the meeting space made by the user, data regarding the meeting session from the user calendar data, and other data regarding the meeting session.
The access token can remain valid during the meeting session for which the meeting space has been booked. Thus, the access token can expire based on, for example, a duration or an ending time of the meeting session. In some implementations, the management service can also issue a refresh token that can be used to extend a validity of the access token if a meeting session lasts beyond its reserved ending time or duration. For example, the management service can receive an extension request comprising the refresh token from the client device. In response to this extension request, the management service can issue another access token to the client device. This new access token may be valid for a predefined amount of time or for an amount of time specified by the extension request.
In some implementations, however, the management service may fail to generate the access token. The management service may fail to generate the access token to block a user's request to access the meeting space based on the existence of some inappropriate condition. For example, there could exist a condition that compromises the security of the meeting space, information received from the client device and the edge device could be incorrect, or the client device and/or edge device could be out of compliance with one or more of the compliance rules. In that case, the management service can notify the user via the user's client device or via one or more of the IoT devices. This notification can include the reason(s) why the management service failed to generate the access token, including any inappropriate conditions that contributed to the failure.
If the management service successfully generates the access token, the management service can provide the access token to the client device and the edge device. The management service can receive a request from the client device regarding the security classification of a particular enterprise resource. The management service can determine the security classification of the enterprise resource from the security classifications. The management service can notify the edge device of the security classification for the enterprise resource.
The enterprise resource service can be executed to handle requests to access enterprise resources. For example, the enterprise resource service can receive a request to access a particular enterprise resource from the client device. This request can include an access token that proves the client device's authorization to access the enterprise resource. After validating the access token, the enterprise resource service can provide the enterprise resource to the client device.
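The token lifecycle described above (issuance bound to the meeting's end time, denial with reasons, extension via a refresh token, and validation by the enterprise resource service) can be sketched as follows. This is an added example, not code from the patent: the HMAC-signed token format, the function and field names, the 900-second default extension, and the single-use rotation of refresh tokens are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

SIGNING_KEY = secrets.token_bytes(32)  # constructed key known to both services
REFRESH_STORE = {}                     # refresh token -> claims, kept by the management service
DEFAULT_EXTENSION = 900                # assumed "predefined amount of time", in seconds


def sign(claims):
    """Serialize the claims and append an HMAC-SHA256 tag over them."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def grant(claims):
    """Mint an access token plus a fresh refresh token bound to the same claims."""
    refresh = secrets.token_urlsafe(32)
    REFRESH_STORE[refresh] = claims
    return {"access_token": sign(claims), "refresh_token": refresh}


def issue_tokens(user, space_id, meeting_end, failed_rules, now):
    """Management service: token expires with the meeting, or is refused with reasons."""
    reasons = list(failed_rules)
    if now >= meeting_end:
        reasons.append("no active reservation for this meeting space")
    if reasons:
        return {"denied": reasons}  # reasons are relayed to the user's device
    return grant({"sub": user, "space": space_id, "exp": meeting_end})


def extend(refresh_token, now, requested_seconds=None):
    """Management service: trade a refresh token for another access token."""
    claims = REFRESH_STORE.pop(refresh_token, None)  # assumption: single use, rotated
    if claims is None:
        return {"denied": ["unknown or already used refresh token"]}
    lifetime = DEFAULT_EXTENSION if requested_seconds is None else requested_seconds
    return grant(dict(claims, exp=now + lifetime))


def validate_access_request(request, now):
    """Enterprise resource service: check the token before releasing the resource."""
    body, _, tag = request.get("access_token", "").partition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return (False, "bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        return (False, "token expired")
    if not request.get("resource_id"):
        return (False, "missing resource identifier")
    return (True, claims)
```

Times are passed in as plain integers so the expiry behaviour can be exercised deterministically; a deployment would read the clock inside each service.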
The enterprise resource(s) can represent content associated with an enterprise. Enterprise resources can include any electronic data associated with an enterprise, such as databases, applications, text files, word processor files, spreadsheet files, presentation files, graphic files, audio files, photographic files, video files, applications and application files, and/or the like. An enterprise resource can be associated with security classifications that include a security classification for that enterprise resource.
The one or more compliance rules can represent, for example, configurable criteria that must be satisfied for the client device or edge device to be in compliance with the management service. The compliance rules can be based on a number of factors, including geographical location, activation status, enrollment status, and authentication data including authentication data obtained by a device registration system, time, and date, and network properties, among other factors associated with each device. The compliance rules can also be determined based on a user account associated with a user of the client device. Compliance rules can include predefined constraints that must be met for the management service, or other applications, to permit access to the enterprise resources. The management service can communicate with the management agent to determine whether states exist on the client device or edge device that do not satisfy one or more compliance rules. States can include, for example, a virus or malware being detected on the device, violation of a baseline or verified behavior classification, installation or execution of a blacklisted application, and a device being “rooted” or “jailbroken,” where root access is provided to a user of the device. Additional states can include the presence of particular files, questionable device configurations, vulnerable versions of applications, vulnerable states of client devices or edge device, or other vulnerability, as can be appreciated.
The security classifications can represent data for each enterprise resource regarding a level of security to be implemented within a meeting space where that enterprise resource is being exhibited. A security classification can include, for example, Normal, Secure, and Highly Secure, though other security classifications can be configured by an administrator.
A Normal security classification can indicate that the meeting space may be in an unsecured state, and any IoT devices therein may remain in a default or current configuration when an associated enterprise resource is exhibited. In addition, under a Normal security classification, a user of the client device (or other user) may have full control over the configuration and operation of the IoT devices.
A Secure security classification can indicate that the meeting space must be under some elevated level of security, and the IoT devices can be configured to mitigate any security risks presented by the manner in which the enterprise resource is exhibited. In addition, under a Secure security classification, users may have permissions to exercise partial control over the configuration and operation of the IoT devices.
A Highly Secure security classification can indicate that the meeting space must be under a greatest possible level of security, and IoT devices must be in a predefined Highly Secure configuration. Under a Highly Secure security classification, users' permissions for the IoT devices can be highly restricted such that a user must individually override the individual settings of each IoT device's Highly Secure configuration. In some implementations, a user may be prompted using the client device or one of the IoT devices to accept an acknowledgement of the risks involved in changing an IoT device's configuration away from the predefined Highly Secure configuration.
The meeting space profiles can represent the various security configurations for the IoT devices in different meeting spaces. For example, the meeting space profile for a particular meeting space can include the security configurations of each IoT device in that meeting space for each possible security classification. In some implementations, the meeting space profiles can further include user permissions for each IoT device under each security configuration. The meeting space profiles can be configured by an administrator.
The calendar data can represent meeting sessions and other events that a user intends to attend. The calendar data can indicate meeting space, date, time, and any other relevant information concerning a meeting session. When a user adds a new meeting session to the user's calendar or modifies the information concerning an existing meeting session, the client device can provide this information to the management service, which can update the calendar data accordingly.
The client device can represent one or more client devices coupled to the network. The client device can include a processor-based system such as a computer system. Such a computer system can be embodied in the form of a personal computer (e.g., a desktop computer, a laptop computer, or similar device), a mobile computing device (e.g., personal digital assistants, cellular telephones, smartphones, web pads, tablet computer systems, music players, portable game consoles, electronic book readers, and similar devices), media playback devices (e.g., media streaming devices, BluRay® players, digital video disc (DVD) players, set-top boxes, and similar devices), a videogame console, or other devices with like capability. The client device can include one or more displays, such as liquid crystal displays (LCDs), gas plasma-based flat panel displays, organic light emitting diode (OLED) displays, electrophoretic ink (“E-ink”) displays, projectors, or other types of display devices. In some instances, the display can be a component of the client device or can be connected to the primary client device through a wired or wireless connection. The client device can be configured to execute various applications such as a management agent and potentially other applications.
The client application can be executed to access network content served up by the computing environment or other servers or computing devices, thereby rendering a user interface on a display. To this end, the client application can include a browser, a dedicated application, or other executable, and the user interface can include a network page, an application screen, or other user mechanism for obtaining user input. The client device can be configured to execute applications beyond the client application such as email applications, social networking applications, word processors, spreadsheets, or other applications.
The client application can access an enterprise resource using an access token provided by the management agent. For example, the client application can provide an access request including the access token to the enterprise resource service. The access request can also include an identifier or locator for the enterprise resource. In return, the client application can receive the enterprise resource from the enterprise resource service.
Once the client application accesses an enterprise resource, a user of the client device may prompt the client application to cause the enterprise resource to be exhibited using a designated IoT device. For example, the user may wish the client application to project or stream the enterprise resource on an IoT device such as a display or a speaker, thereby exhibiting the enterprise resource to all of the participants of the meeting session.
Before exhibiting the enterprise resource on the designated IoT device, however, the client application can determine a security classification of the enterprise resource. For example, the client application can request information regarding the security classification for the enterprise resource from the management service when the user attempts to exhibit the enterprise resource. As another example, the client application could have requested this information from the management service before the meeting session began if the client application is able to determine that the particular enterprise resource will be exhibited during the meeting session. For instance, the client application could have made this determination based on the user's calendar data. As yet another example, the client application can itself determine the security classification of the enterprise resource. The client application can make this determination based on, for example, keywords in the user's calendar data, information from the meeting space reservation, or the user's calendar data. The client application can attempt to identify keywords that have been associated with previously exhibited enterprise resources classified as Normal, Secure, and Highly Secure.
In some implementations, the client application can notify the edge device of the security classification for the enterprise resource. In other implementations, however, the edge device can instead be notified of the security classification for the enterprise resource by the management service. The client application can be notified by the management agent or by the edge device directly once the IoT devices are in the appropriate security configuration. The client application can then cause the enterprise resource to be exhibited on the designated IoT device.
The management agent can be installed on the client device to facilitate management of the client device by the management service. The management agent can be installed with elevated privileges or be effectuated through operating system APIs to manage the primary client device on behalf of the management service. The management agent can have the authority to manage data on the primary client device; install, remove, or disable certain applications; or install configuration profiles, such as VPN certificates, Wi-Fi profiles, email profiles, or other profiles for configuring various functions or applications of the primary client device.
The management agent can detect that the client device has entered a meeting space. For example, the management agent can detect a beacon or signal transmitted by a beacon device associated with and/or located within the meeting space. In some implementations, the management agent can identify the beacon device based on a universally unique identifier included in the beacon or signal, where the unique identifier identifies the beacon device itself or the meeting space within which the beacon device is located.
The management agent can provide the beacon device with information regarding a user of the client device. The management agent can likewise receive information regarding the meeting space from the beacon device. This information can be exchanged using nearby available peer-to-peer (P2P) channels. The management agent can then notify the management service that the user is located within the meeting space.
The management agent can receive an access token from the management service. The management agent can then provide that access token to the client application to access an enterprise resource. If the access token expires before the meeting session has ended, the management agent can request an extension of the access token from the management service.
The management agent can be notified once the edge device has configured the IoT devices according to the security classification of the enterprise resource. The management agent can then notify the client application that the enterprise resource may be exhibited.
The beacon device can represent a wireless device located within or associated with a particular meeting space that can detect when the client device enters the meeting space. To illustrate, the beacon device can generate a beacon or another signal that can be detected by the client device. This beacon or signal can include, for example, a near-field communication (NFC), radio frequency identification (RFID), Bluetooth, Bluetooth Low Energy, or other form of wireless communication signal. In some implementations, the beacon or signal can include a universally unique identifier of the beacon device itself or the meeting space within which the beacon device is located. The beacon device can detect a signal received from the client device that includes, for example, an identifier associated with the client device.
The beacon device can provide information regarding the meeting space to the client device. The beacon device can likewise receive information regarding a user of the client device from the client device. This information can be exchanged using nearby P2P channels. The beacon device can then provide the information regarding the user to the edge device.
The edge device can be representative of one or more edge devices. The edge device can include a processor, network communication hardware, and a memory including executable instructions for communicating with the management service, client device, beacon device, and/or IoT devices. The edge device can also be equipped with networking capability or networking interfaces, including a localized networking or communication capability, such as a near-field communication (NFC) capability, radio-frequency identification (RFID) read or write capability, or other localized communication capability. While referred to as an edge device, the edge device can also be representative of routing switches, integrated access devices (IADs), multiplexers, and a variety of metropolitan area network (MAN) and wide area network (WAN) access devices, and other edge devices.
The edge device can coordinate, control, and otherwise manage the IoT devices within a meeting space. In some implementations, the edge device can provide network access to the IoT devices, as well as implement enrollment processes and gather IoT metric data based on IoT device communications with the edge device. The edge device itself can be managed by the management agent executing on the client device.
The edge device can notify the management service when a user (and the user's client device) is detected in a meeting space. After the beacon device detects and exchanges data with the client device, in some implementations, the edge device can provide information regarding a user of the client device to the management service. This information can be received from the beacon device after the beacon device detects the user entering the meeting space with the user's client device.
The edge device can be enrolled with the management service. During setup, the edge device can, in some implementations, provide an enrollment request to the management agent executing on the client device, which can in turn provide the enrollment request to the management service. In other implementations, however, the edge device can provide the enrollment request directly to the management service. The enrollment request can include, for example, an identifier for the edge device and an identifier for the meeting space. In return, the edge device can receive an enrollment confirmation from the management service or management agent. In some implementations, the enrollment confirmation can include a meeting space profile associated with the meeting space corresponding to the edge device.
The edge device can be notified of a security classification of an enterprise resource. The edge device can be notified of the security classification by the management service or by the client device. The edge device can be notified of the security classification when a user of the client device attempts to exhibit the corresponding enterprise resource using an IoT device. This security classification can be used in configuration of the IoT devices.
The edge device can configure the IoT devices according to the security classification of the enterprise resource. For each IoT device, the edge device can determine what security configuration of that IoT device corresponds to the security classification of the enterprise resource. The edge device can make this determination using the meeting space profile for the meeting space in which the IoT devices are located. The meeting space profile can indicate one or more configuration settings corresponding to the enterprise resource's security classification for each IoT device.
The edge device can then generate commands to configure each IoT device based on the security classification. For example, given an enterprise resource with a Highly Secure security classification, the edge device can generate a command to configure a speaker such that its audio output does not exceed a low threshold volume. As another example using the same enterprise resource, the edge device can generate a command to configure a retractable window screen to remain closed. The edge device can then provide each command to its corresponding IoT device. In some implementations, the edge device may receive a confirmation from each IoT device once it has been successfully configured. Once the IoT devices have been configured, the edge device can notify the client device that the IoT devices have been configured.
When an exhibited enterprise resource has a Normal security classification, the edge device can maintain the IoT devices in a default or current configuration. Likewise, the edge device can permit a user of the client device (or other user) to exercise unrestricted control over each IoT device.
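The edge-device behaviour described in the preceding paragraphs (resolving a meeting space profile into per-device commands, reporting the room as configured only when every device confirms, and gating user changes by classification) can be sketched as follows. This is an added example, not code from the patent: the profile layout, device names, setting names, threshold values and the `make_bus` stand-in for the device link are constructed for illustration, and refusing to report success when any device fails to confirm is an assumed fail-closed policy.

```python
CLASSIFICATIONS = ("Normal", "Secure", "Highly Secure")

# Constructed meeting space profile: per device, the settings to apply for each
# elevated classification and which of them a user may still change under Secure.
PROFILE = {
    "display": {
        "Secure": {"settings": {"max_brightness": 60}, "user_may_change": {"max_brightness"}},
        "Highly Secure": {"settings": {"max_brightness": 30}},
    },
    "speaker": {
        "Secure": {"settings": {"max_volume": 40}, "user_may_change": set()},
        "Highly Secure": {"settings": {"max_volume": 15}},
    },
    "blinds": {
        "Secure": {"settings": {"position": "closed"}, "user_may_change": set()},
        "Highly Secure": {"settings": {"position": "closed"}},
    },
}


def build_commands(profile, classification):
    """Translate a classification into one command per IoT device in the room."""
    if classification not in CLASSIFICATIONS:
        raise ValueError(f"unknown security classification: {classification!r}")
    if classification == "Normal":
        return []  # devices stay in their default or current configuration
    commands = []
    for device_id, by_class in profile.items():
        if classification not in by_class:
            raise LookupError(f"{device_id} has no {classification} configuration")
        commands.append({"device": device_id, "set": dict(by_class[classification]["settings"])})
    return commands


def configure_space(profile, classification, send):
    """Send every command; the room counts as configured only if all devices confirm."""
    unconfirmed = [c["device"] for c in build_commands(profile, classification)
                   if not send(c["device"], c["set"])]
    return {"classification": classification,
            "configured": not unconfirmed,
            "unconfirmed": unconfirmed}


def authorize_change(profile, classification, device_id, setting, acknowledged_risk=False):
    """Decide whether a user may change one setting on one device."""
    if classification == "Normal":
        return True  # full control
    entry = profile[device_id][classification]
    if setting not in entry["settings"]:
        return True  # not part of the secure configuration
    if classification == "Secure":
        return setting in entry.get("user_may_change", set())  # partial control
    return acknowledged_risk  # Highly Secure: per-setting override after acknowledgement


def make_bus(offline=()):
    """Constructed stand-in for the device link; offline devices never confirm."""
    sent = []

    def send(device_id, settings):
        sent.append((device_id, settings))
        return device_id not in offline

    return send, sent
```

The client application would exhibit the resource only when `configure_space` returns `configured: True`; the `unconfirmed` list tells an operator which device blocked the session.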
Unknown
May 12, 2026